SolarWinds Security Chief Wants More Clarity for Cyber Execs

Oct. 2, 2025, 3:00 PM UTC

Tim Brown of SolarWinds Corp. has advice for corporate security chiefs whose companies have been hacked: Be prepared for your job to change after a cyber incident.

That’s what happened to Brown, SolarWinds’ chief information security officer, after his company in 2020 disclosed it had suffered a far-reaching hack. He was pulled from his day-to-day duties of implementing cyber programs and took on a new outward-facing role focused on strategy and how to move forward.

That continues today.

“We thought the best approach was sharing and making kind of the myth of the nation-state be a reality for people saying that this can’t happen,” Brown told Bloomberg Law. “So for me, my role switched to more of an evangelist on the outside, an explainer of what was going on, and at the same time, a planner for how we become exemplary—but execution side I had to leave to others.”

The SolarWinds data breach, attributed by the US authorities to Russian hackers, impacted hundreds of public companies and several government agencies. The Securities and Exchange Commission sued the company in 2023, alleging it misled investors about its cybersecurity practices and the significance of the incident.

In a first for the agency, the SEC also brought claims against Brown, accusing him of failing to disclose the company’s security vulnerabilities. The case was largely dismissed last year, including most of the claims brought against Brown, and the SEC reached a tentative settlement with the software provider in July. US District Judge Paul A. Engelmayer granted an SEC request for an additional extension to file the settlement paperwork by Oct. 10.

The incident, and the litigation against him, ushered the security officer into the spotlight—where he remains.

“It was: ‘OK, how can I make good from that situation? How can I have people learn some things? How can I have it elevate the CISO role? How can I have it help the community?’ And the company supported me,” Brown said.

Brown, who has been in his role at SolarWinds for more than eight years, said the cyber industry has largely moved away from a victim-blaming mentality as incidents have become more common. What’s still missing, he said, are clear federal regulations that set up security officers for success—like a cyber equivalent to the Sarbanes-Oxley Act that mandates financial reporting obligations.

“I don’t want it to be over-stretching and onerous, but enough for us to say ‘Our programs are good, this is what we’ve done,’” he said. More clarity on reporting structures, policies, and procedures to follow, for example, could help companies audit themselves against the standards regulators expect.

“We didn’t have the structure to say ‘these are all the steps you need to take, and here’s how you can check to make sure you’re doing it well, and here’s how you audit those appropriately to be able to show that,’” he said. “That’s one of the things that we need to get into place to be able to give enough flexibility for the CISO community to do their job well and not be looking over their shoulder all the time.”

‘Real Consequences’

Looking ahead, Brown is calling to protect the Cybersecurity Information Sharing Act of 2015. That decade-old law, a key tool for companies to safely share threat information with businesses and government, expired on Sept. 30 when Congress let funding run out.

“Having it stuck in a sort of political limbo is not good for anyone,” he said. “We’ve got something that has worked, and there’s very real consequences for not having appropriate frameworks for us to share.”

Brown stressed the importance of extending the information law: “It’s very important we get it right, simply because our adversaries are not hung up by this. Our adversaries are sharing whatever they want, however they want, without controls in place.”

Brown also said he’s keeping an eye on the future of the Cybersecurity and Infrastructure Security Agency. The agency’s efforts to combat disinformation under the Biden administration were criticized for allegedly suppressing conservative viewpoints. The Trump administration has since terminated hundreds of CISA employees and proposed significant budget cuts to refocus the agency on protecting critical infrastructure.

“CISA was an incredible partner for us throughout the process. And they really amplified the truth,” Brown said, recalling that CISA staff was there “at two in the morning and six in the morning with us.”

“As we go into AI, we’re getting into a very muddy area that needs guidance,” he added. “And CISA can play a very strong role.”

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Catalina Camia at ccamia@bloombergindustry.com; David Jolly at djolly@bloombergindustry.com
